GnuTLS OCSP Stapling Bypass: Accepting Revoked Certs via Crafted Response (CVE-2026-3832)

Bug 2445762 (CVE-2026-3832) - gnutls: Security bypass allows acceptance of revoked server certificates via crafted OCSP response Vulnerability Overview gnutls matches stapled OCSP responses to the server certificate by scanning records, but then unconditionally reads the field. When a multi-record OCSP response is stapled such that record #0 corresponds to a different certificate (status: good) and the matching record for the server certificate appears later (status: revoked), a client with OCSP verification enabled may accept a revoked server certificate. This manifests as an order-dependent accept/reject outcome for the same revoked server certificate. Impact Scope Product: Security Response Component: vulnerability Version: unspecified Hardware: All Operating System: Linux Priority: low Severity: low Remediation Reported: 2026-03-09 13:57 UTC by OSIDB Bzimport Modified: 2026-04-30 17:30 UTC OC List: 8 users Clone: None Environment: None Last Closed: None Embargoed: None Attachments Description: gnutls matches a stapled OCSP response to the server certificate by scanning SingleResponse records, but then reads cert_status from record index 0 unconditionally. When a multi-record OCSP response is stapled such that record #0 is for a different certificate (good) and the matching record for the server certificate is later (revoked), a client with OCSP verification enabled can accept a revoked server certificate. This is observable as an order-dependent accept/reject outcome for the same revoked server certificate.

Goal Reached Thanks to every supporter — we hit 100%!

GnuTLS OCSP Stapling Bypass: Accepting Revoked Certs via Crafted Response (CVE-2026-3832)